beboppy
2010-04-19, 23:41
Hi, I have Vista x64 and a few moments ago I was loading a website in Firefox 3.6.3 that used Flash and Spybot popped up stating it had encountered and terminated a process that is listed as malicious. I selected the default "Inform me again" and "Delete the associated file."
Looking in the Resident log file afterwards I see:
9/04/2010 10:27:01 PM Allowed (based on user decision) value "Shockwave Updater" (new data: "C:\Windows\SysWOW64\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100458 -Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)") added in System Startup user entry!
19/04/2010 10:27:01 PM Encountered and terminated WhenU.Search in C:\Windows\SysWOW64\Adobe\SHOCKW~1\SWHELP~1.EXE!
19/04/2010 10:27:05 PM Allowed (based on authenticode whitelist) value "Spybot - Search & Destroy" (new data: ""C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
I know Spybot appears whenever there's a Shockwave update, which would explain the "SWHELP~1.EXE -Update" etc., as it's done this before, but I have never had 'WhenU.Search' appear in this file before, nor can I find any trace of it elsewhere.
Since it only appears to be attached to this new update file, could it merely be part of the update?